b"                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT\n                                                           OFFICE OF THE INSPECTOR GENERAL\n                                                                            OFFICE OF AUDITS\n\n\n\n                                   Final Audit Report\n\nSubject:\n\n\n\n\n               AUDIT OF INFORMATION SYSTEMS\n            GENERAL AND APPLICATION CONTROLS AT\n                      EMBLEMHEALTH\n\n\n                                            Report No. 1D-80-00-12-045\n\n                                            Date:                 December 10, 2012\n\n\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                                       Audit Report\n\n\n\n              FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM\n                         CONTRACTS 1056 & 2655\n                                                   EMBLEMHEALTH\n                           PLAN CODES 6V1 / 6V2 / X41 / X42 / 801 / 802\n                                          804 / 805 / 511 / 512 / 514 / 515\n                                            NEW YORK, NEW YORK\n\n\n\n                                             Report No. 
1D-80-00-12-045\n\n                                            Date:               December 10, 2012\n\n\n\n\n                                                                                             ________________________\n                                                                                             Michael R. Esser\n                                                                                             Assistant Inspector General\n                                                                                               for Audits\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                   Executive Summary\n\n\n\n          FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM\n                     CONTRACTS 1056 & 2655\n                                     EMBLEMHEALTH\n                   PLAN CODES 6V1 / 6V2 / X41 / X42 / 801 / 802\n                              804 / 805 / 511 / 512 / 514 / 515\n                                NEW YORK, NEW YORK\n\n\n\n\n                               Report No. 1D-80-00-12-045\n\n                               Date:          December 10, 2012\n\n\n\nThis final report discusses the results of our audit of general and application controls over the\ninformation systems at EmblemHealth. 
EmblemHealth has separate plans that service federal\nemployees: GHI Health Plan, GHI HMO Select Plans, and HIP Health of Greater New York.\n\nOur audit focused on the claims processing applications used to adjudicate Federal Employees\nHealth Benefits Program (FEHBP) claims for EmblemHealth, as well as the various processes\nand information technology (IT) systems used to support these applications. We documented\ncontrols in place and opportunities for improvement in each of the areas below.\n\nSecurity Management\nEmblemHealth has established a series of IT policies and procedures to create an awareness of\nIT security at the Plan. We also verified that EmblemHealth has adequate human resources\npolicies related to the security aspects of hiring, training, transferring, and terminating\nemployees.\n\n\n\n\n                                                 i\n\x0cAccess Controls\nEmblemHealth has implemented numerous controls to grant and remove physical access to its\ndata center, as well as logical controls to protect sensitive information. However, we did note\nopportunities for improvement related to EmblemHealth\xe2\x80\x99s authentication controls over physical\naccess to the data centers as well as the method for encrypting emails containing PII.\nEmblemHealth has since remediated all of these weaknesses.\n\nConfiguration Management\nEmblemHealth has developed formal policies and procedures that provide guidance to ensure\nthat system software is appropriately configured and updated, as well as for controlling system\nsoftware configuration changes. However, we noted several weaknesses in EmblemHealth\xe2\x80\x99s\nconfiguration management program related to mainframe, server, and database system\nconfigurations. 
EmblemHealth has since remediated several of these weaknesses and is working\nto implement the necessary changes for the remaining vulnerabilities.\n\nContingency Planning\nWe reviewed EmblemHealth\xe2\x80\x99s business continuity plans and concluded that they contained most\nof the key elements suggested by relevant guidance and publications. We also determined that\nthese documents are reviewed and updated on a periodic basis.\n\nClaims Adjudication\nEmblemHealth has implemented many controls in its claims adjudication process to ensure that\nFEHBP claims are processed accurately. However, we recommended that EmblemHealth\nimplement a tool to facilitate automation of its application configuration change process.\n\nHealth Insurance Portability and Accountability Act (HIPAA)\nNothing came to our attention that caused us to believe that EmblemHealth is not in compliance\nwith the HIPAA security, privacy, and national provider identifier regulations.\n\n\n\n\n                                               ii\n\x0c                                                                   Contents\n                                                                                                                                                 Page\nExecutive Summary ............................................................................................................................ i\n I. Introduction ................................................................................................................................... 1\n    Background ................................................................................................................................... 1\n    Objectives ...................................................................................................................................... 
1\n    Scope ............................................................................................................................................. 2\n    Methodology ................................................................................................................................. 2\n    Compliance with Laws and Regulations ....................................................................................... 3\nII. Audit Findings and Recommendations ......................................................................................... 4\n    A. Security Management ............................................................................................................... 4\n    B. Access Controls ........................................................................................................................ 4\n    C. Configuration Management ...................................................................................................... 6\n    D. Contingency Planning ............................................................................................................. 10\n    E. Claims Adjudication ............................................................................................................... 10\n    F. Health Insurance Portability and Accountability Act ............................................................. 13\nIII. Major Contributors to This Report ............................................................................................ 14\n\n  Appendix: EmblemHealth\xe2\x80\x99s September 14, 2012 response and subsequent October 12, 2012\n            amendment, to the draft audit report issued July 12, 2012.\n\x0c                                       I. 
Introduction\nThis final report details the findings, conclusions, and recommendations resulting from the audit\nof general and application controls over the information systems responsible for processing\nFederal Employees Health Benefits Program (FEHBP) claims at EmblemHealth.\n\nThe audit was conducted pursuant to FEHBP contracts CS 1056 and CS 2655; 5 U.S.C. Chapter\n89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by\nthe U.S. Office of Personnel Management\xe2\x80\x99s (OPM) Office of the Inspector General (OIG), as\nestablished by the Inspector General Act of 1978, as amended.\n\nBackground\nThe FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on\nSeptember 28, 1959. The FEHBP was created to provide health insurance benefits for federal\nemployees, annuitants, and qualified dependents. The provisions of the Act are implemented by\nOPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance\ncoverage is made available through contracts with various carriers that provide service benefits,\nindemnity benefits, or comprehensive medical services.\n\nThis was our first audit of EmblemHealth\xe2\x80\x99s general and application controls. We also reviewed\nEmblemHealth\xe2\x80\x99s compliance with the Health Insurance Portability and Accountability Act\n(HIPAA).\n\nAll EmblemHealth personnel that worked with the auditors were helpful and open to ideas and\nsuggestions. They viewed the audit as an opportunity to examine practices and to make changes\nor improvements as necessary. 
Their positive attitude and helpfulness throughout the audit was\ngreatly appreciated.\n\nObjectives\nThe objectives of this audit were to evaluate controls over the confidentiality, integrity, and\navailability of FEHBP data processed and maintained in EmblemHealth\xe2\x80\x99s IT environment.\nWe accomplished these objectives by reviewing the following areas:\n\xe2\x80\xa2   Security management;\n\xe2\x80\xa2   Access controls;\n\xe2\x80\xa2   Configuration management;\n\xe2\x80\xa2   Segregation of duties;\n\xe2\x80\xa2   Contingency planning;\n\xe2\x80\xa2   Application controls specific to EmblemHealth\xe2\x80\x99s claims processing systems; and,\n\xe2\x80\xa2   HIPAA compliance.\n\n\n\n\n                                                  1\n\x0cScope\nThis performance audit was conducted in accordance with generally accepted government\nauditing standards issued by the Comptroller General of the United States. Accordingly, we\nobtained an understanding of EmblemHealth\xe2\x80\x99s internal controls through interviews and\nobservations, as well as inspection of various documents, including information technology and\nother related organizational policies and procedures. This understanding of EmblemHealth\xe2\x80\x99s\ninternal controls was used in planning the audit by determining the extent of compliance testing\nand other auditing procedures necessary to verify that the internal controls were properly\ndesigned, placed in operation, and effective.\n\nEmblemHealth has separate plans that service federal employees: two Health Maintenance\nOrganization plans referred to as GHI-HMO and HIP-HMO; and a fee-for-service plan, GHI.\n\nThe scope of this audit centered on the information systems used by EmblemHealth to process\nmedical insurance claims for FEHBP members, with a primary focus on their claims adjudication\napplications. 
Three separate systems are used to process claims at EmblemHealth: one for GHI\nprofessional claims, one for GHI facility claims, and a third for both GHI-HMO and HIP-HMO\nclaims. The business processes reviewed are primarily located in EmblemHealth\xe2\x80\x99s New York,\nNew York facilities.\n\nThe on-site portion of this audit was performed in April and May of 2012. We completed\nadditional audit work before and after the on-site visit at our office in Washington, D.C. The\nfindings, recommendations, and conclusions outlined in this report are based on the status of\ninformation system general and application controls in place at EmblemHealth as of May 2012.\n\nIn conducting our audit, we relied to varying degrees on computer-generated data provided by\nEmblemHealth. Due to time constraints, we did not verify the reliability of the data used to\ncomplete some of our audit steps but we determined that it was adequate to achieve our audit\nobjectives. However, when our objective was to assess computer-generated data, we completed\naudit steps necessary to obtain evidence that the data was valid and reliable.\n\nMethodology\nIn conducting this review we:\n\xe2\x80\xa2   Gathered documentation and conducted interviews;\n\xe2\x80\xa2   Reviewed EmblemHealth\xe2\x80\x99s business structure and environment;\n\xe2\x80\xa2   Performed a risk assessment of EmblemHealth\xe2\x80\x99s information systems environment and\n    applications, and prepared an audit program based on the assessment and the Government\n    Accountability Office\xe2\x80\x99s (GAO) Federal Information System Controls Audit Manual\n    (FISCAM); and,\n\xe2\x80\xa2   Conducted various compliance tests to determine the extent to which established controls and\n    procedures are functioning as intended. As appropriate, we used judgmental sampling in\n    completing our compliance testing. 
Results of samples that are judgmentally or randomly\n    selected cannot be projected to the population since it is unlikely that the results are\n    representative of the population as a whole.\n\n                                                2\n\x0cVarious laws, regulations, and industry standards were used as a guide to evaluating\nEmblemHealth\xe2\x80\x99s control structure. These criteria include, but are not limited to, the following\npublications:\n\xe2\x80\xa2   Title 48 of the Code of Federal Regulations;\n\xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130, Appendix III;\n\xe2\x80\xa2   OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of\n    Personally Identifiable Information;\n\xe2\x80\xa2   Information Technology Governance Institute\xe2\x80\x99s CobiT: Control Objectives for Information\n    and Related Technology;\n\xe2\x80\xa2   GAO\xe2\x80\x99s FISCAM;\n\xe2\x80\xa2   National Institute of Standards and Technology\xe2\x80\x99s Special Publication (NIST SP) 800-12,\n    Introduction to Computer Security;\n\xe2\x80\xa2   NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information\n    Technology Systems;\n\xe2\x80\xa2   NIST SP 800-30, Risk Management Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;\n\xe2\x80\xa2   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information\n    Systems and Organizations;\n\xe2\x80\xa2   NIST SP 800-61, Computer Security Incident Handling Guide;\n\xe2\x80\xa2   NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA\n    Security Rule; and,\n\xe2\x80\xa2   HIPAA Act of 1996.\n\nCompliance with Laws and Regulations\nIn conducting the audit, we performed tests to determine whether EmblemHealth\xe2\x80\x99s practices\nwere consistent with 
applicable standards. While generally compliant, with respect to the items\ntested, EmblemHealth was not in complete compliance with all standards as described in the\n\xe2\x80\x9cAudit Findings and Recommendations\xe2\x80\x9d section of this report.\n\n\n\n\n                                                3\n\x0c                      II. Audit Findings and Recommendations\n\nA. Security Management\n  The security management component of this audit involved the examination of the policies and\n  procedures that are the foundation of EmblemHealth\xe2\x80\x99s overall IT security controls. We\n  evaluated EmblemHealth\xe2\x80\x99s ability to develop security policies, manage risk, assign security-\n  related responsibility, and monitor the effectiveness of various system-related controls.\n\n  EmblemHealth has implemented a series of formal policies and procedures that comprise its\n  security management program. EmblemHealth\xe2\x80\x99s Information Security group is responsible for\n  creating, reviewing, editing, and disseminating IT security policies. EmblemHealth has also\n  developed a thorough risk management methodology, and has procedures to document, track,\n  and mitigate or accept identified risks. We also reviewed EmblemHealth\xe2\x80\x99s human resources\n  policies and procedures related to hiring, training, transferring, and terminating employees.\n\n  Nothing came to our attention to indicate that EmblemHealth does not have an adequate security\n  management program.\n\nB. Access Controls\n  Access controls are the policies, procedures, and techniques used to prevent or detect\n  unauthorized physical or logical access to sensitive resources.\n\n  We examined the physical access controls at EmblemHealth\xe2\x80\x99s New York headquarters buildings\n  and its data center. We also examined the logical controls protecting sensitive data on\n  EmblemHealth\xe2\x80\x99s network environment and claims processing applications. 
Furthermore, we\n  conducted an automated network topology scan to verify that all known assets were included\n  within EmblemHealth\xe2\x80\x99s computer hardware inventory.\n\n  The access controls observed during this audit include, but are not limited to:\n  \xe2\x80\xa2   Procedures for appropriately granting physical access to facilities and data centers;\n  \xe2\x80\xa2   Procedures for revoking access to data centers for terminated employees;\n  \xe2\x80\xa2   Procedures for removing Windows/network access for terminated employees; and,\n  \xe2\x80\xa2   Controls to monitor and filter email and Internet activity.\n\n  However, the following sections document several opportunities for improvement related to\n  EmblemHealth\xe2\x80\x99s physical access and network environment controls.\n\n  1. Access to Data Center\n      EmblemHealth\xe2\x80\x99s primary data centers use stand-alone electronic card readers to control\n      physical access. However, we expect all FEHBP contractors to also have multi-factor\n      authentication (e.g., cipher lock or biometric device in addition to an access card) at all data\n      center entrances. In addition to this minimum requirement, the following list outlines\n      physical access controls that are common at other FEHBP carrier facilities:\n\n                                                    4\n\x0c   \xe2\x80\xa2   Piggybacking alarms to enter the computer room (alarm that sounds if more than one\n       person walks past a sensor for each access card that is swiped); and,\n   \xe2\x80\xa2   \xe2\x80\x9cMan-trap\xe2\x80\x9d entrances (small space with two locking doors where the first door must close\n       before the second opens).\n\n   Failure to implement adequate physical access controls increases the risk that unauthorized\n   individuals can gain access to EmblemHealth\xe2\x80\x99s data centers and the sensitive IT resources\n   and confidential data they contain. 
NIST SP 800-53 provides guidance for adequately\n   controlling physical access to information systems containing sensitive data.\n\n   Recommendation 1\n   We recommend that EmblemHealth reassess its data centers\xe2\x80\x99 physical access management\n   and implement controls that will improve physical security. At a minimum, EmblemHealth\n   should implement multi-factor authentication (e.g., cipher lock or biometric device in\n   addition to an access card) at data center entrances.\n\n   EmblemHealth Response:\n   \xe2\x80\x9cDual input card readers, that require both an access card and a PIN, were installed for\n   each entrance to the data center on September 12, 2012.\xe2\x80\x9d\n\n   OIG Reply:\n   The evidence provided by EmblemHealth in response to the draft audit report indicates that\n   the Plan has implemented multi-factor authentication at data center entrances; no further\n   action is required.\n\n2. Email Encryption\n   We conducted a test of EmblemHealth\xe2\x80\x99s e-mail encryption program by asking an\n   EmblemHealth employee to send us sample e-mails containing personally identifiable\n   information (PII). We expected the encryption program to detect the PII and automatically\n   encrypt the emails. However, the application did not encrypt any of the e-mails.\n\n   OMB Memorandum M-07-16 recommends \xe2\x80\x9cusing encryption, strong authentication\n   procedures, and other security controls to make [PII] . . . 
unusable by unauthorized\n   individuals.\xe2\x80\x9d\n\n   Failure to implement adequate e-mail encryption controls increases the risk that unauthorized\n   individuals can access PII.\n\n   Recommendation 2\n   We recommend that EmblemHealth review its configuration settings for e-mail encryption to\n   ensure that all PII is appropriately protected.\n\n\n\n\n                                               5\n\x0c      EmblemHealth Response:\n      \xe2\x80\x9cWe have implemented the SSN lexicon for ZixSelect, the tool that we use to automatically\n      encrypt e-mail containing PHI. A single SSN will force the encryption. We acknowledge\n      the importance of the SSN as a key element of the e-mail and that it is PII vs. PHI . . . .\xe2\x80\x9d\n\n      OIG Reply:\n      The evidence provided by EmblemHealth in response to the draft audit report indicates that\n      the Plan has modified its e-mail encryption software to protect PII; no further action is\n      required.\n\nC. Configuration Management\n  EmblemHealth uses three claims adjudication applications: the GHI professional claims\n  processing system (MCS), the GHI facility claims processing system (HCS), and the GHI HMO\n  and HIP HMO claims processing system (QCare). We evaluated EmblemHealth\xe2\x80\x99s controls to\n  securely configure the mainframe, databases, and servers that support these applications. We\n  determined that the following controls are in place:\n  \xe2\x80\xa2   Controls for securely managing changes to the operating platform and claims processing\n      application;\n  \xe2\x80\xa2   Controls for monitoring privileged user activity on the operating platform; and,\n  \xe2\x80\xa2   Documented patch management procedures.\n\n  The sections below document areas for improvement related to EmblemHealth\xe2\x80\x99s configuration\n  management controls.\n\n  1. 
Mainframe System Configuration\n      EmblemHealth has a documented Mainframe Security Standard that outlines the approved\n      configuration of its mainframe security software. However, our review of EmblemHealth\xe2\x80\x99s\n      actual mainframe configuration identified several insecure settings. Although no settings\n      directly violated the Security Standard, we believe that the policy is not comprehensive\n      enough because it does not provide guidance on the specific settings in question. The\n      problems that were detected were detailed in the draft report, but due to the sensitive nature\n      of these findings, the specific settings in question will not be included in this report.\n\n      NIST SP 800-53 Revision 3 requires that the \xe2\x80\x9corganization develops, documents, and\n      maintains under configuration control, a current baseline configuration of the information\n      system.\xe2\x80\x9d The guidance also recommends that the organization review and update the\n      baseline configuration at an organization-defined frequency, when required to under\n      organization-defined circumstances, and as an integral part of the information system\n      component installations and upgrades.\n\n      Failure to have appropriate security configurations based on common security practices\n      increases the likelihood an attacker can gain access to sensitive data on the mainframe.\n\n\n                                                   6\n\x0c   Recommendation 3\n   We recommend that EmblemHealth make the appropriate configuration changes related to\n   the specific weaknesses identified during this audit.\n\n   EmblemHealth Response:\n   \xe2\x80\x9cWe have implemented four of the recommended configuration changes and will\n   implement an additional two on September 15, 2012. . . 
.\xe2\x80\x9d\n\n   OIG Reply:\n   The evidence provided by EmblemHealth in response to the draft audit report indicates that\n   the Plan has appropriately implemented several of the configuration changes we\n   recommended.\n\n   However, several configuration changes still need to be implemented to fully address this\n   recommendation. The details of the remaining weaknesses have been provided to\n   EmblemHealth and OPM\xe2\x80\x99s HIO. We recommend that EmblemHealth update HIO on its\n   progress to implement the remaining configuration settings.\n\n   Recommendation 4\n   We recommend that EmblemHealth update its Mainframe Security Standard to contain a\n   detailed secure mainframe baseline configuration.\n\n   EmblemHealth Response:\n   \xe2\x80\x9cWe updated the Mainframe Security Standard to include our approved baseline\n   configuration.\xe2\x80\x9d\n\n   OIG Reply:\n   The evidence provided by EmblemHealth in response to the draft audit report indicates that\n   the Plan has appropriately updated its Mainframe Security Standard to include its baseline\n   configuration; no further action is required.\n\n2. Server and Database Configuration\n   EmblemHealth uses a third party vendor to periodically conduct vulnerability scans on its\n   information systems. As part of this audit, we conducted our own automated vulnerability\n   scans on a sample of EmblemHealth\xe2\x80\x99s systems (including 20 production servers and two\n   databases) to identify security vulnerabilities. Our scans detected a variety of insecure\n   configurations in EmblemHealth\xe2\x80\x99s environment. The list below outlines a high level\n   description of the problems that were detected, but due to the sensitive nature of these\n   findings, the details will not be included in this report. 
We determined that several servers\n   and/or databases:\n   \xe2\x80\xa2   Did not have critical patches, service packs, and hot fixes implemented in a timely\n       manner;\n   \xe2\x80\xa2   Are running operating systems and/or software that is no longer supported by the vendor;\n                                                7\n\x0c\xe2\x80\xa2   Do not have up-to-date antivirus software and/or virus definitions;\n\xe2\x80\xa2   Are running third party applications that were not appropriately updated or patched; and,\n\xe2\x80\xa2   Have password settings that are not in compliance with EmblemHealth\xe2\x80\x99s corporate\n    password policy.\n\nFISCAM states that \xe2\x80\x9cSoftware should be scanned and updated frequently to guard against\nknown vulnerabilities.\xe2\x80\x9d NIST SP 800-53 Revision 3 states \xe2\x80\x9cThe organization (including any\ncontractor to the organization) promptly installs security-relevant software updates (e.g.,\npatches, service packs, and hot fixes). Flaws discovered during security assessments,\ncontinuous monitoring, incident response activities, or information system error handling, are\nalso addressed expeditiously.\xe2\x80\x9d In addition, NIST SP 800-53 Revision 3 states that \xe2\x80\x9cThe\norganization configures the information system to provide only essential capabilities. . . 
.\xe2\x80\x9d\nAn organization should also review the information system to identify and eliminate\nunnecessary functions.\n\nFailure to promptly install important updates, implement least functionality to an information\nsystem, and implement appropriate authentication controls can increase the amount of\nexposed vulnerabilities and methods an intruder can use to gain unauthorized access to the\nsystem.\n\nRecommendation 5\nWe recommend that EmblemHealth implement proper procedures and controls to ensure that\nproduction servers are installed with appropriate patches, service packs, and hotfixes on a\ntimely basis.\n\nEmblemHealth Response:\n\xe2\x80\x9cWe analyzed the server problems and determined that the tool we were using, Ecora, was\nnot working as intended; we replaced this tool with ITCM and will monitor its\neffectiveness as we roll it out to the rest of the servers and databases. We have applied all\nof the fixes to the servers.\xe2\x80\x9d\n\nOIG Reply:\nThe evidence provided by EmblemHealth in response to the draft audit report indicates that\nthe Plan has appropriately patched the production servers; no further action is required.\n\nRecommendation 6\nWe recommend that EmblemHealth implement appropriate procedures and controls to ensure\nthat only current and supported versions of system software are installed on the production\nservers.\n\nEmblemHealth Response:\n\xe2\x80\x9cSeveral of our legacy in-house-developed applications are dependent on an older\noperating system. We are looking at new architecture to replace them. 
In the meantime,\n\n\n                                            8\n\x0cwe cannot upgrade the operating systems to supported versions because of the adverse\nimpact that would have on our customers and our business.\xe2\x80\x9d\n\nOIG Reply:\nAs part of the audit resolution process, we recommend that EmblemHealth update OPM\xe2\x80\x99s\nHIO on its progress to implement new architecture and to ensure that only current and\nsupported versions of system software are installed on the production servers.\n\nRecommendation 7\nWe recommend that EmblemHealth implement appropriate procedures and controls to ensure\nthat anti-virus software definitions are up-to-date on all production servers.\n\nEmblemHealth Response:\n\xe2\x80\x9cInformation Security is now reviewing Anti-virus signatures on all servers via the EPO\nconsole on a daily basis. This task was added to the Daily Checklist.\xe2\x80\x9d\n\nOIG Reply:\nThe evidence provided by EmblemHealth in response to the draft audit report indicates that\nthe Plan has updated its procedures to ensure anti-virus definitions are current on all\nproduction servers; no further action is required.\n\nRecommendation 8\nWe recommend that EmblemHealth review its current system configurations to ensure that\nonly necessary software is installed on the production servers.\n\nEmblemHealth Response:\n\xe2\x80\x9cWe have reviewed the Nessus reports and are in the process of identifying and removing\nunnecessary software. Going forward, we have a standard build for new servers to ensure\nthat unnecessary software is not installed, and we will perform periodic reviews to ensure\nthat we are at either emerging or current status for our operating systems.\xe2\x80\x9d\n\nOIG Reply:\nAs part of the audit resolution process, we recommend that EmblemHealth update OPM\xe2\x80\x99s\nHIO on its progress to identify and remove unnecessary software. 
EmblemHealth should\nalso provide HIO with evidence of the first annual review.\n\nRecommendation 9\nWe recommend that EmblemHealth implement appropriate controls to ensure that user\naccounts on system databases comply with corporate password policies.\n\nEmblemHealth Response:\n\xe2\x80\x9cPasswords on the database are now in compliance with EmblemHealth's Password\nStandard.\xe2\x80\x9d\n\nOIG Reply:\nThe evidence provided by EmblemHealth in response to the draft audit report indicates that\nthe Plan has appropriately changed its database settings to match its corporate password\npolicy; no further action is required.\n\nD. Contingency Planning\n  We reviewed the following elements of EmblemHealth\xe2\x80\x99s contingency planning program to\n  determine whether controls were in place to prevent or minimize interruptions to business\n  operations when disastrous events occur:\n  \xe2\x80\xa2   Disaster response plan;\n  \xe2\x80\xa2   Business continuity plan for data center operations;\n  \xe2\x80\xa2   Business continuity plans for legacy GHI claims processing operations and claims support;\n  \xe2\x80\xa2   Disaster recovery plan tests conducted in conjunction with the recovery site; and,\n  \xe2\x80\xa2   Emergency response procedures and training.\n\n  We determined that the service continuity documentation contained the critical elements\n  suggested by NIST SP 800-34, \xe2\x80\x9cContingency Planning Guide for Information Technology\n  Systems.\xe2\x80\x9d EmblemHealth has identified and prioritized the systems and resources that are\n  critical to business operations, and has developed detailed procedures to recover those systems\n  and resources.\n\n  Nothing came to our attention to indicate that EmblemHealth has not implemented adequate\n  controls related to contingency planning.\n\nE. 
Claims Adjudication\n  The following sections detail our review of the applications and business processes supporting\n  EmblemHealth\xe2\x80\x99s claims adjudication process.\n\n  1. Application Configuration Management\n      We evaluated the policies and procedures governing software development and change\n      control of EmblemHealth\xe2\x80\x99s claims processing applications.\n\n      EmblemHealth has policies and procedures related to application configuration management.\n      EmblemHealth has adopted a thorough system development life cycle methodology that IT\n      personnel follow during routine software modifications. We observed the following controls\n      related to testing and approvals of software modifications:\n      \xe2\x80\xa2   EmblemHealth has adopted practices that allow modifications to be tracked throughout\n          the change process;\n      \xe2\x80\xa2   Code, unit, system, and quality testing are all conducted in accordance with industry\n          standards; and,\n      \xe2\x80\xa2   EmblemHealth uses a separate business unit to move the code between development and\n          production to ensure adequate segregation of duties.\n\n   However, the configuration management process relies heavily on manual effort and could\n   be improved with the implementation of automated tools. EmblemHealth has explored the\n   option of implementing a change management tool and is considering a second pilot. The\n   tool would force all steps in the change management process to occur in order with all\n   required documentation and approvals in place before moving code into production. 
An\n   automated tool would reduce the risk of human error and the movement of code without\n   approved and complete change packages.\n\n   Recommendation 10\n   We recommend that EmblemHealth install and implement an automated tool to facilitate the\n   application configuration management process.\n\n   EmblemHealth Response:\n   \xe2\x80\x9cWe are in the process of customizing [redacted] for EmblemHealth\xe2\x80\x99s environment for\n   implementation in 2013. In the meantime, we have implemented an additional tool to\n   replace part of our existing mainframe implementation process and continue to be very\n   diligent about our manual procedures.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that EmblemHealth update OPM\xe2\x80\x99s\n   HIO on its progress to implement a change management tool.\n\n2. Claims Processing System\n   We evaluated the input, processing, and output controls associated with EmblemHealth\xe2\x80\x99s\n   claims adjudication systems. We determined that EmblemHealth has implemented policies\n   and procedures to help ensure that:\n\n   \xe2\x80\xa2   Claims scheduled for payment are actually paid;\n   \xe2\x80\xa2   Claims are monitored as they are processed through the systems with real time tracking\n       of the system\xe2\x80\x99s performance; and,\n   \xe2\x80\xa2   Paper claims that are received in the mail room are tracked to ensure timely processing\n       (aging reports).\n\n   We do not have any concerns regarding EmblemHealth\xe2\x80\x99s claims processing policies and\n   procedures.\n\n3. Enrollment\n   We evaluated EmblemHealth\xe2\x80\x99s procedures for managing its database of member enrollment\n   data. Changes to member enrollment information are primarily received via an encrypted\n   electronic transmission. Changes to enrollment are predominately automated. 
Exceptions\n   that require manual processing are identified during an overnight batch process that generates\n   a report of manual enrollment changes. These updates are then manually entered into the\n   enrollment system. EmblemHealth has an audit function for each step of the enrollment\n   process that requires manual data manipulation.\n\n  We do not have any concerns regarding EmblemHealth\xe2\x80\x99s enrollment policies and procedures.\n\n4. Debarment\n  EmblemHealth has adequate procedures for updating its claim system with debarred provider\n  information, and the Plan routinely audits its debarment database for accuracy.\n\n  EmblemHealth downloads the OPM OIG debarment list every month and compares it to its\n  provider maintenance file. Any debarred providers that appear in EmblemHealth\xe2\x80\x99s provider\n  master database are flagged to prevent claims submitted by that provider from processing\n  successfully during the claims adjudication process.\n\n  However, EmblemHealth\xe2\x80\x99s debarment procedures do not comply with OPM\xe2\x80\x99s \xe2\x80\x9cGuidelines\n  for Implementation of FEHBP Debarment and Suspension Orders.\xe2\x80\x9d EmblemHealth\xe2\x80\x99s claim\n  payment guidelines state that \xe2\x80\x9cAll claims will be denied the first day following the date of the\n  debarment/mandatory termination.\xe2\x80\x9d OPM\xe2\x80\x99s Guidelines for Implementation of FEHBP\n  Debarment and Suspension Orders state that claims should be paid during a 15-day \xe2\x80\x9cgrace\n  period\xe2\x80\x9d after members have been notified that a provider has been debarred.\n\n  Recommendation 11\n  We recommend that EmblemHealth make the appropriate changes to its debarment policies\n  and procedures to comply with OPM\xe2\x80\x99s Guidelines for Implementation of Federal Employees\n  Health Benefits Program Debarment and Suspension Orders.\n\n  Recommendation 12\n  We recommend that EmblemHealth 
make the appropriate changes to its claims processing\n  systems to ensure FEHBP claims are processed in accordance with OPM\xe2\x80\x99s Guidelines for\n  Implementation of Federal Employees Health Benefits Program Debarment and Suspension\n  Orders.\n\n  EmblemHealth Response:\n  \xe2\x80\x9cWe are in agreement with both recommendations. Based on these recommendations\n  EmblemHealth has taken the opportunity to reinforce the policies and procedures followed\n  in support of the Guidelines.\n\n  All of the necessary and appropriate protocols specified in the FEHB contract are now in\n  place. These important functions have been reviewed in detail to make sure all of the\n  specific responsibilities are appropriately applied to all FEHBP claims. Comprehensive\n  policies and procedures have been implemented to provide a seamless member transition\n  from debarment of health care providers by OPM.\xe2\x80\x9d\n\n  OIG Reply:\n  The evidence provided by EmblemHealth in response to the draft audit report indicates that\n  the Plan has appropriately updated its policies and procedures and made the system\n  modification to ensure compliance with OPM guidelines; no further action is required for\n  either recommendation 11 or 12.\n\n  5. Special Investigations and Fraud\n     The OIG evaluated the EmblemHealth policies and procedures governing special\n     investigations and fraud. We determined that EmblemHealth has substantial policies and\n     procedures in place to detect, manage, and report fraud.\n\n     There were no areas of improvement noted during our review.\n\n  6. Application Controls Testing\n     We conducted a test on EmblemHealth\xe2\x80\x99s claims adjudication applications to validate the\n     systems\xe2\x80\x99 claims processing controls. 
The exercise involved processing test claims designed\n     with inherent flaws and evaluating the manner in which EmblemHealth\xe2\x80\x99s systems\n     adjudicated the claims. Test claims were submitted for MCS, HCS, and QCare.\n\n     Our test results indicate that all three systems have controls and system edits in place to\n     identify the following scenarios:\n     \xe2\x80\xa2   Gender/Procedure inconsistencies;\n     \xe2\x80\xa2   Provider/Procedure inconsistencies;\n     \xe2\x80\xa2   Timely filing;\n     \xe2\x80\xa2   Enrollment inconsistencies;\n     \xe2\x80\xa2   Invalid date of service;\n     \xe2\x80\xa2   Overlapping hospital stays; and,\n     \xe2\x80\xa2   Duplicate and near-duplicate claims.\n\nF. Health Insurance Portability and Accountability Act\n  We reviewed EmblemHealth\xe2\x80\x99s efforts to maintain compliance with the security and privacy\n  standards of HIPAA.\n\n  EmblemHealth has implemented a series of IT security policies and procedures to adequately\n  address the requirements of the HIPAA security rule. EmblemHealth has also developed a series\n  of privacy policies and procedures that address all requirements of the HIPAA privacy rule.\n  EmblemHealth uses HIPAA regulations as the baseline for the creation of its policies. The Plan\n  has designated a Privacy Official who is responsible for ensuring EmblemHealth\xe2\x80\x99s compliance\n  with HIPAA Privacy and Security regulations. EmblemHealth employees receive annual\n  compliance training that encompasses HIPAA regulations.\n\n  We do not have any concerns regarding EmblemHealth\xe2\x80\x99s compliance with the various\n  requirements of HIPAA regulations.\n\n                    III. Major Contributors to This Report\n\nThis audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector\nGeneral, Information Systems Audits Group. 
The following individuals participated in the audit\nand the preparation of this report:\n\xe2\x80\xa2                   Group Chief\n\xe2\x80\xa2                    , Senior Team Leader\n\xe2\x80\xa2                 Auditor-In-Charge\n\xe2\x80\xa2                       , IT Auditor\n\xe2\x80\xa2                  , IT Auditor\n\n\nRecommendation #1\n\nWe recommend that EmblemHealth reassess its data centers\xe2\x80\x99 physical access management and\nimplement controls that will improve physical security. At a minimum, EmblemHealth should\nimplement multi-factor authentication (e.g., cipher lock or biometric device in addition to an\naccess card) at data center entrances.\nResponse #1\nDual input card readers that require both an access card and a PIN were installed for each\nentrance to the data center on September 12, 2012.\n\nRecommendation #2\nWe recommend that EmblemHealth review its configuration settings for e-mail encryption to\nensure that all PII is appropriately protected.\nResponse #2\nWe have implemented the SSN lexicon for ZixSelect, the tool that we use to automatically\nencrypt e-mail containing PHI. A single SSN will force the encryption. We acknowledge the\nimportance of the SSN as a key element of the e-mail and that it is PII vs. PHI. 
We cannot move\nbeyond that to encrypt mailing address, zip codes and/or state names because doing so would\ncause all e-mails with address information in the signature section to be encrypted.\n\nRecommendation #3\nWe recommend EmblemHealth make the appropriate configuration changes related to the\nspecific weaknesses identified during this audit.\nResponse #3\nWe have implemented four of the recommended configuration changes and will implement an\nadditional two on September 15, 2012.\n\n       **** REDACTED BY OPM/OIG DUE TO THE SENSITIVE NATURE OF THE\n                            INFORMATION****\n\nRecommendation #4\nWe recommend that EmblemHealth update its Mainframe Security Standard to contain a detailed\nsecure RACF baseline configuration.\nResponse #4\nWe updated the Mainframe Security Standard to include our approved baseline configuration.\n\nRecommendation #5\nWe recommend EmblemHealth implement appropriate procedures and controls to ensure that\nproduction servers are installed with appropriate patches, service packs, and hotfixes on a timely\nbasis.\nResponse #5\nWe analyzed the server problems and determined that the tool we were using, Ecora, was not\nworking as intended; we replaced this tool with ITCM and will monitor its effectiveness as we\nroll it out to the rest of the servers and databases. We have applied all of the fixes to the servers.\n\nRecommendation #6\nWe recommend EmblemHealth implement appropriate procedures and controls to ensure that\nonly current and supported versions of system software are installed on the production servers.\nResponse #6\nSeveral of our legacy in-house-developed applications are dependent on an older operating\nsystem. We are looking at new architecture to replace them. 
In the meantime, we cannot\nupgrade the operating systems to supported versions because of the adverse impact that would\nhave on our customers and our business.\n\nRecommendation #7\nWe recommend EmblemHealth implement appropriate procedures and controls to ensure that\nanti-virus software definitions are up-to-date on all production servers.\nResponse #7\nInformation Security is now reviewing Anti-virus signatures on all servers via the EPO console\non a daily basis. This task was added to the Daily Checklist.\n\nRecommendation #8\nWe recommend EmblemHealth review their current system configurations to ensure that only\nnecessary software is installed on the production servers.\nResponse #8\nWe have reviewed the Nessus reports and are in the process of identifying and removing\nunnecessary software. Going forward, we have a standard build for new servers to ensure that\nunnecessary software is not installed, and we will perform periodic reviews to ensure that we are\nat either emerging or current status for our operating systems.\n\nRecommendation #9\nWe recommend EmblemHealth implement appropriate controls to ensure that user accounts on\nsystem databases comply with corporate password policies.\nResponse #9\nWe plan to implement Oracle\xe2\x80\x99s OVD solution for the provider database. This will provide\nsingle-sign-on functionality for the application users, and Active Directory will enforce\ncompliance with corporate password policies. 
For the DBA accounts that cannot function\nproperly without direct access, we will use Oracle\xe2\x80\x99s native 10g password options to enforce\ncompliance with corporate password policies.\n\n**10/12/12 Updated Response**\nPasswords on the database are now in compliance with EmblemHealth's Password Standard.\n\nRecommendation #10\nWe recommend EmblemHealth install and implement an automated tool to facilitate the\napplication configuration management process.\nResponse #10\nWe are in the process of customizing [REDACTED] for EmblemHealth\xe2\x80\x99s environment for\nimplementation in 2013. In the meantime, we have implemented an additional tool to replace\npart of our existing mainframe implementation process and continue to be very diligent about our\nmanual procedures.\n\nRecommendation #11\nWe recommend that EmblemHealth make the appropriate changes to its debarment policies\nand procedures to comply with OPM\xe2\x80\x99s Guidelines for Implementation of Federal\nEmployees Health Benefits Program Debarment and Suspension Orders.\nRecommendation #12\nWe recommend that EmblemHealth make the appropriate changes to its claims processing\nsystems to ensure FEHBP claims are processed in accordance with OPM\xe2\x80\x99s Guidelines for\nImplementation of Federal Employees Health Benefits Program Debarment and Suspension\nOrders.\nResponse #11 and #12:\nWe are in agreement with both recommendations. Based on these recommendations\nEmblemHealth has taken the opportunity to reinforce the policies and procedures followed in\nsupport of the Guidelines.\n\nAll of the necessary and appropriate protocols specified in the FEHB contract are now in place.\nThese important functions have been reviewed in detail to make sure all of the specific\nresponsibilities are appropriately applied to all FEHBP claims. 
Comprehensive policies and\nprocedures have been implemented to provide a seamless member transition from debarment of\nhealth care providers by OPM.\n\nExpanded Protocols\nThe review resulted in expanded policies and procedures that more effectively support the\nspecific carrier responsibilities outlined in the Guidelines. These expanded protocols reinforce\nour obligations and have been successfully implemented. Also, the involved staff has been fully\ntrained on the newly expanded policies and procedures and the existing protocols have been\nreinforced. Policies and procedures that have been implemented, reinforced and expanded for all\nFEHBP claims include the following:\n   \xe2\x80\xa2   Securing the monthly OIG Debarment and Suspension lists.\n\n   \xe2\x80\xa2   Identifying providers located in the EmblemHealth FEHBP service area.\n\n   \xe2\x80\xa2   Requesting any necessary information missing from the OIG listings so that authoritative\n       matches can be made.\n\n   \xe2\x80\xa2   Match all FEHBP claims of medical service and items against the continuously updated\n       OIG Debarment and Suspension list database. The FEHBP claims are automatically\n       matched against the database. Upon a match, one of three situation-appropriate notices\n       containing the required information is promptly issued to enrollees who receive services\n       from Debarred and Suspended providers. The following steps are also taken:\n\n           \xe2\x88\x92 Apply a 15-day grace period following the issuance of the notice and continue to\n             pay items and services provided during this time. 
A 30-day grace period is applied to\n             facility claims if the member was not properly notified of debarment before the\n             service occurred.\n\n           \xe2\x88\x92 Payments are not made for items or services rendered more than 15 days after the\n             date of the notice to the enrollee.\n\n           \xe2\x88\x92 Exceptions that are sanctioned, approved or requested by OPM will be handled as\n             instructed.\n\n           \xe2\x88\x92 Deny further payments of claims after the date of debarment and suspension and\n             applicable grace periods.\n\n           \xe2\x88\x92 All information on the debarred and suspended providers, matched claims, issued\n             notices and related matters is available in corporate repositories accessible to\n             Customer Service representatives to respond to any inquiries from providers,\n             FEHBP members and other involved parties.\n\n   \xe2\x80\xa2   FEHBP Claims are rejected if the claims for items or services are furnished more than 15\n       days after the date of enrollee notice unless the enrollee can demonstrate that they had not\n       received the notice when the items/services were furnished or EmblemHealth knows that\n       the enrollee was specifically aware/notified of the provider\xe2\x80\x99s debarment or suspension.\n\n   \xe2\x80\xa2   Reports will continue to be issued to OIG in the prescribed format and schedule.\n\nEmblemHealth recognizes the importance of following the Debarment and Suspension Orders\nGuidelines and we continue our commitment to effectively administer all of the related activities.\n"
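The debarment grace-period rules in the Plan's response above, together with the system edits the audit exercised in section E.6 (gender/procedure inconsistencies, timely filing, invalid date of service, overlapping hospital stays, duplicate and near-duplicate claims) and the provider-master comparison described in section E.4, as an added Python illustration that is not part of this report or of EmblemHealth's claims systems. The 365-day filing limit, the assumption that the 30-day facility grace period runs from the debarment date, the "pend" outcome when no enrollee notice is on file, the procedure codes, the field names and all sample data are assumptions constructed for the example.

```python
"""Added illustration (not the Plan's code): a toy claims-edit engine that runs test
claims with deliberate flaws through the system edits the audit lists and applies the
FEHBP debarment grace-period rule. Names, thresholds, codes and data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations

TIMELY_FILING_DAYS = 365   # assumed contractual filing limit
NOTICE_GRACE_DAYS = 15     # pay services up to 15 days after the enrollee notice
FACILITY_GRACE_DAYS = 30   # facility claims when the enrollee was not notified
GENDER_RESTRICTED = {"PROC-OBDELIV": "F", "PROC-PROSTATE": "M"}  # constructed codes

@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    provider_id: str
    procedure: str
    service_start: date
    service_end: date
    received: date
    facility: bool = False

def load_debarment_list(text):
    """Parse a constructed monthly OIG list: one 'provider_id,YYYY-MM-DD' per line."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return {pid.strip(): date.fromisoformat(eff.strip()) for pid, eff in rows}

def flag_providers(provider_master, debarred):
    """Providers in the Plan's master file that also appear on the debarment list."""
    return sorted(set(provider_master) & set(debarred))

def debarment_edit(claim, debarred, notices):
    """None (pay), 'DENY' or 'PEND'; notices maps (member, provider) to the date the
    enrollee was told of the provider's debarment."""
    effective = debarred.get(claim.provider_id)
    if effective is None or claim.service_start < effective:
        return None                                   # service predates debarment
    notice = notices.get((claim.member_id, claim.provider_id))
    if notice is not None:                            # 15-day grace runs from the notice
        return None if claim.service_start <= notice + timedelta(days=NOTICE_GRACE_DAYS) else "DENY"
    if claim.facility and claim.service_start <= effective + timedelta(days=FACILITY_GRACE_DAYS):
        return None                                   # 30-day facility grace, no notice issued
    return "PEND"    # assumption: no notice on file, hold the claim for manual review

def run_edits(claims, members, debarred, notices):
    """Return {claim_id: sorted edit codes}; an empty list means the claim passed."""
    hits = {c.claim_id: set() for c in claims}
    seen = {}                                         # (member, procedure, date) -> first claim
    for c in claims:
        if c.service_end < c.service_start or c.service_start > c.received:
            hits[c.claim_id].add("INVALID_DOS")
        if (c.received - c.service_end).days > TIMELY_FILING_DAYS:
            hits[c.claim_id].add("TIMELY_FILING")
        required = GENDER_RESTRICTED.get(c.procedure)
        if required and members.get(c.member_id) != required:
            hits[c.claim_id].add("GENDER_PROC")
        key = (c.member_id, c.procedure, c.service_start)
        if key in seen:                               # same provider: duplicate; else near duplicate
            hits[c.claim_id].add("DUPLICATE" if seen[key].provider_id == c.provider_id else "NEAR_DUP")
        else:
            seen[key] = c
        verdict = debarment_edit(c, debarred, notices)
        if verdict:
            hits[c.claim_id].add("DEBARRED_" + verdict)
    for a, b in combinations([c for c in claims if c.facility], 2):   # overlapping inpatient stays
        if (a.member_id == b.member_id and a.provider_id != b.provider_id
                and a.service_start <= b.service_end and b.service_start <= a.service_end):
            hits[a.claim_id].add("OVERLAP_STAY")
            hits[b.claim_id].add("OVERLAP_STAY")
    return {k: sorted(v) for k, v in hits.items()}

# Constructed sample data: debarment list, provider master file, members and test claims.
DEBARMENT_LIST = "PRV-900,2012-03-01\nPRV-901,2012-06-15\n"
PROVIDER_MASTER = ["PRV-100", "PRV-200", "PRV-900"]
MEMBERS = {"M1": "M", "M2": "F"}
NOTICES = {("M1", "PRV-900"): date(2012, 3, 10)}
D = date
TEST_CLAIMS = [
    Claim("C1", "M2", "PRV-100", "PROC-OBDELIV", D(2012, 5, 1), D(2012, 5, 2), D(2012, 5, 20)),
    Claim("C2", "M1", "PRV-100", "PROC-OBDELIV", D(2012, 5, 1), D(2012, 5, 2), D(2012, 5, 20)),   # male member
    Claim("C3", "M1", "PRV-200", "PROC-XRAY", D(2012, 7, 9), D(2012, 7, 1), D(2012, 7, 15)),       # end before start
    Claim("C4", "M1", "PRV-200", "PROC-XRAY", D(2011, 1, 5), D(2011, 1, 5), D(2012, 2, 1)),        # filed late
    Claim("C5", "M2", "PRV-100", "PROC-OFFICE", D(2012, 4, 3), D(2012, 4, 3), D(2012, 4, 10)),
    Claim("C6", "M2", "PRV-100", "PROC-OFFICE", D(2012, 4, 3), D(2012, 4, 3), D(2012, 4, 11)),     # resubmitted
    Claim("C7", "M2", "PRV-100", "PROC-INPT", D(2012, 8, 1), D(2012, 8, 5), D(2012, 8, 9), facility=True),
    Claim("C8", "M2", "PRV-200", "PROC-INPT", D(2012, 8, 4), D(2012, 8, 7), D(2012, 8, 9), facility=True),
    Claim("C9", "M1", "PRV-900", "PROC-OFFICE", D(2012, 3, 20), D(2012, 3, 20), D(2012, 3, 28)),   # in grace
    Claim("C10", "M1", "PRV-900", "PROC-OFFICE", D(2012, 3, 30), D(2012, 3, 30), D(2012, 4, 2)),   # past grace
    Claim("C11", "M2", "PRV-901", "PROC-INPT", D(2012, 7, 1), D(2012, 7, 3), D(2012, 7, 9), facility=True),
    Claim("C12", "M2", "PRV-901", "PROC-OFFICE", D(2012, 7, 20), D(2012, 7, 20), D(2012, 7, 25)),  # no notice
]

def demo():
    debarred = load_debarment_list(DEBARMENT_LIST)
    return flag_providers(PROVIDER_MASTER, debarred), run_edits(TEST_CLAIMS, MEMBERS, debarred, NOTICES)

if __name__ == "__main__":
    print(demo())
```

Run directly, it prints the providers from the master file that appear on the debarment list and the edit codes raised for each test claim. As in the audit's control test, each deliberately flawed claim should trip the one edit it was built to trip (C7 and C8 trip the overlap edit together) and the clean claims C1, C5, C9 and C11 should pass, C9 because the service fell inside the 15-day notice grace period and C11 because it is a facility claim inside the 30-day grace period with no notice on file.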